In my last post, I mentioned that someone was complaining about the name of the bowser.sys component that I wrote 20 years ago. In my post, I mentioned that he included a screen shot of the event viewer.

What was also interesting thing was the contents of the screen shot.

“The browser driver has received too many illegal datagrams from the remote computer <redacted> to name <redacted> on transport NetBT_Tcpip_<excluded>. The data is the datagram. No more events will be generated until the reset frequency has expired.”

I added this message to the browser 20 years ago to detect computers that were going wild sending illegal junk on the intranet. The idea was that every one of these events indicated that something had gone horribly wrong on the machine which originated the event and that a developer or network engineer should investigate the problem (these illegal datagrams were often caused by malfunctioning networking hardware (which was not uncommon 20 years ago)).

But you’ll note that the person reporting the problem only complained about the name of the source of the event log entry. He never bothered to look at the contents of this “error” event log entry to see if there was something that was worth reporting.

Part of the reason that nobody bothers to read the event logs is that too many components log to the eventlog. The event logs on customers computers are filled with unactionable meaningless events (“The <foo> service has started. The <foo> service has entered the running state. The <foo> service is stopping. The <foo> service has entered the stopped state.”). And they stop reading the event log because there’s never anything actionable in the logs.

There’s a pretty important lesson here: Nobody ever bothers reading event logs because there’s simply too much noise in the logs. So think really hard about when you want to write an event to the event log. Is the information in the log really worth generating? Is there important information that a customer will want in those log entries?

Unless you have a way of uploading troublesome logs to be analyzed later (and I know that several enterprise management solutions do have such mechanisms), it’s not clear that there’s any value to generating log entries.

The name of the service is (intentionally) bowser and has been so for many releases.

My response:

“many releases”. That cracks me up. If I had known that I would literally spend the next 20 years paying for that one joke, I would have reconsidered it.

And yes, bowser.sys has been in the product for 20 years now.

So take this as an object lesson. Avoid humorous names in your code or you’ll be answering questions about them for the next two decades and beyond. If I had named the driver “brwsrhlp.sys” (at that point setup limited us to 8.3 file names) instead of “bowser.sys” it would never have raised any questions. But I chose to go with a slightly cute name and…

PS: After posting this, several people have pointed out that the resources on bowser.sys indicate that it's name should be "browser.sys". And they're right. To my knowledge, nobody has noticed that in the past 20 years...